Apache https config

httpd.conf

In order to activate https support, check that VirtualHost support is activated in /etc/httpd/conf/httpd.conf and that NameVirtualHost is configured like this:

NameVirtualHost <ip of the web server>:80
NameVirtualHost <ip of the web server>:443

Avoid the format

NameVirtualHost *:80
NameVirtualHost *:443

as this doesn't permit the creation of multiple https instances on the server.

Creation of certificate

For a self-signed certificate we must create the Certification Authority (ourselves) certificate, and then create the certificate/key pair for SSL support.

  • Create the CA certificate (valid 10 years)

openssl req -new -days 3560 > <name of server>.csr

  • Split the certificate and the key

openssl rsa -in privkey.pem -out <name of server>.key

  • Generate the self-signed certificate for the web server

openssl x509 -in <name of server>.csr -out <name of server>.cert -req -signkey <name of server>.key -days 3560

  • Move the files to the right directories

mv <name of server>.cert /etc/pki/tls/certs/
mv <name of server>.key /etc/pki/tls/private/

VirtualHost config

Create an instance for a VirtualHost using the same information you have for a plain VirtualHost. If you have an instance like this:

<VirtualHost <ip>:80>
    ServerAdmin webmaster@<domain>
    ServerName <name.domain>
    ServerAlias <name>

    DocumentRoot /var/www/html

    ErrorLog  /var/log/httpd/<xxx>.error_log
    CustomLog /var/log/httpd/<xxx>.access_log combined

    .....

</VirtualHost>

copy it to a second instance with these modifications:

<VirtualHost 128.178.70.2:443>
    ServerAdmin webmaster@<domain>
    ServerName <name.domain>
    ServerAlias <name>

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /etc/pki/tls/certs/<name of web server>.cert
    SSLCertificateKeyFile /etc/pki/tls/private/<name of web server>.key

    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

    ErrorLog  /var/log/httpd/<xxx>.error_log
    CustomLog /var/log/httpd/<xxx>.access_log combined
    
    ......

</VirtualHost>

As you can see, the main differences are the change of the port (443 instead of 80) in the VirtualHost definition and the added SSLxxx lines.
Pay particular attention to the SSLCertificateFile and SSLCertificateKeyFile lines: they must give the correct paths to the certificate and key files you created above.

Restart the httpd server.

From now on, if you connect to https://<name of server web> you are asked to accept the certificate (self-signed certificates aren't automatically accepted by browsers). After you accept it, your web session is encrypted with the SSL protocol.
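
An added example, not part of the original page: a small Python audit of the SSLCipherSuite value used in the VirtualHost above. It applies OpenSSL's cipher-string operators to list the weak cipher classes the string still requests. The function names, the class-level simplification, the sample addresses and the comparison value HIGH:!aNULL:!MD5 are assumptions of this example; keywords such as DEFAULT are not expanded, and what httpd actually offers also depends on the OpenSSL build it is linked against.

```python
import re

# Cipher classes treated as weak. Simplification (assumption of this example):
# OpenSSL expands each class into concrete suites; this works on class names only.
WEAK = {"aNULL", "eNULL", "EXP", "LOW", "SSLv2", "RC4", "MD5"}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}
# '!ADH' is not '!aNULL' (anonymous ECDH stays); '!EXPORT56' is not '!EXP'.

def weak_classes(spec):
    """Return the weak classes an OpenSSL cipher string leaves enabled."""
    enabled, killed = set(), set()
    for token in filter(None, re.split(r"[:, ]+", spec.strip())):
        op = token[0] if token[0] in "!-+" else ""
        names = [ALIASES.get(n, n) for n in token[len(op):].split("+")]
        if op == "!" and len(names) == 1:
            killed.add(names[0])         # permanent: cannot be re-added later
        elif op == "-" and len(names) == 1:
            enabled.discard(names[0])    # removed, but a later token may re-add it
        elif op == "" and names == ["ALL"]:
            enabled |= WEAK - {"eNULL"}  # ALL never includes the eNULL suites
        elif op == "":
            # 'A+B' is the intersection, so any weak member keeps that class in use
            enabled.update(n for n in names if n in WEAK)
        # a leading '+' only moves suites already listed to the end; it adds nothing
    return sorted(enabled - killed)

def audit_conf(text):
    """Map each SSLCipherSuite value in an Apache config to its weak classes."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 1 and fields[0].lower() == "sslciphersuite":
            report[fields[-1]] = weak_classes(fields[-1])
    return report

PAGE_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Constructed sample config: the page's value next to a stricter one for comparison.
SAMPLE_CONF = f"""
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCipherSuite {PAGE_SUITE}
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

if __name__ == "__main__":
    for suite, weak in audit_conf(SAMPLE_CONF).items():
        print(f"{suite}\n    weak classes still enabled: {', '.join(weak) or 'none'}")
```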

Basic Information

Below are the base instructions we used (found somewhere on the net):

Hi Guys,
I got my latest SVN 1.3.2 working on FC5 with Apache 2.2.0 over SSL,
so decided to just share the same with all.
Here we go,

1) To install SVN do
yum install subversion.

2) To create a SSL certificate for Apache do -
Step one - create the key and request:
openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1024
Place the keys in the following locations & edit the /etc/httpd/conf.d/ssl.conf as follows -

SSLCertificateFile /etc/pki/tls/certs/new.cert.cert
SSLCertificateKeyFile /etc/pki/tls/private/new.cert.key

Test the certificate.

3) create /home/subversion/repository & /home/subversion/permissions

chown -R apache:apache /home/subversion/repository
svnadmin create /home/subversion/repository
svn import /tmp/project1 file:///home/subversion/repository/project1 -m "initial import"
svn checkout file:///home/subversion/repository/project1 project1

4) Edit httpd.conf as follows

# mod_dav must be loaded before mod_dav_svn, which depends on it
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
DAV svn
SVNPath /home/subversion/repository/
# our access control policy
AuthzSVNAccessFile /home/subversion/permissions/svnauthorz.conf
#how to authenticate the users
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /var/www/.htpasswd
# only authenticated users access the SVN
Require valid-user
SSLRequireSSL
</Location>
administration/apache-https.txt · Last modified: 2008/01/29 13:24 by damir